save axoflow#5

modules/cef/CMakeLists.txt

@@ -2,11 +2,13 @@ set(CEF_SOURCES
     format-cef-extension.c
     format-cef-extension.h
     cef-plugin.c
-    parser.c
-    parser.h
-    parser-cfg.h
+    event-format-parser.c
+    event-format-parser.h
+    event-format-parser-cfg.h
     filterx-func-parse-cef.c
     filterx-func-parse-cef.h
+    filterx-func-parse-leef.c
+    filterx-func-parse-leef.h
 )
 
 add_module(

modules/cef/Makefile.am

@@ -5,11 +5,13 @@ EXTRA_DIST += modules/cef/CMakeLists.txt
 modules_cef_libcef_la_SOURCES	=	\
 	modules/cef/format-cef-extension.c	\
 	modules/cef/format-cef-extension.h	\
-	modules/cef/parser-cfg.h	\
-	modules/cef/parser.c	\
-	modules/cef/parser.h	\
+	modules/cef/event-format-parser-cfg.h	\
+	modules/cef/event-format-parser.c	\
+	modules/cef/event-format-parser.h	\
 	modules/cef/filterx-func-parse-cef.c	\
 	modules/cef/filterx-func-parse-cef.h	\
+	modules/cef/filterx-func-parse-leef.c	\
+	modules/cef/filterx-func-parse-leef.h	\
 	modules/cef/cef-plugin.c
 
 modules_cef_libcef_la_CFLAGS	=	\

modules/cef/cef-plugin.c

@@ -23,12 +23,14 @@
 #include "plugin.h"
 #include "plugin-types.h"
 #include "filterx-func-parse-cef.h"
+#include "filterx-func-parse-leef.h"
 #include "filterx/expr-function.h"
 
 static Plugin cef_plugins[] =
 {
   TEMPLATE_FUNCTION_PLUGIN(tf_cef, "format-cef-extension"),
   FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_cef),
+  FILTERX_GENERATOR_FUNCTION_PLUGIN(parse_leef),
 };
 
 gboolean

modules/cef/parser-cfg.h → modules/cef/event-format-parser-cfg.h

@@ -21,28 +21,44 @@
  *
  */
 
-#ifndef CEF_PARSER_CFG_H_INCLUDED
-#define CEF_PARSER_CFG_H_INCLUDED
+#ifndef EVENT_FORMAT_PARSER_CFG_H_INCLUDED
+#define EVENT_FORMAT_PARSER_CFG_H_INCLUDED
 
 #include "filterx/filterx-object.h"
 
-typedef struct _FilterXFunctionParser FilterXFunctionParser;
+typedef enum _EventFormatLogType {
+    EVENFORMAT_LOGTYPE_CEF,
+    EVENFORMAT_LOGTYPE_LEEF,
+    EVENFORMAT_LOGTYPE_COUNT,
+} EventFormatLogType;
 
-typedef FilterXObject *(*FieldParser)(FilterXFunctionParser *parser, const gchar *value, GError **error, gpointer user_data);
+static gchar *EventFormatLogTypeSignatures[] = {
+    "CEF",
+    "LEEF",
+};
+
+typedef struct _FilterXFunctionEventFormatParser FilterXFunctionEventFormatParser;
+
+typedef FilterXObject *(*FieldParser)(FilterXFunctionEventFormatParser *parser, const gchar *value, GError **error, gpointer user_data);
 
 typedef struct _Field {
     const gchar *name;
     FieldParser field_parser;
 } Field;
 
 typedef struct _Config {
-    const gchar *signature; // CEF or LEEF
+    EventFormatLogType log_type;
     const gchar *delimiters;
     size_t num_fields;
     gchar extensions_value_separator;
     const gchar *extensions_pair_separator;
-    Field *fields; // field names and handlers
+    Field *fields;
 } Config;
 
+static inline gchar* signature_for_logtype(EventFormatLogType log_type)
+{
+    g_assert(log_type < EVENFORMAT_LOGTYPE_COUNT);
+    return EventFormatLogTypeSignatures[log_type];
+}
 
 #endif

modules/cef/parser.c → modules/cef/event-format-parser.c

@@ -22,8 +22,8 @@
  *
  */
 
-#include "parser.h"
 #include <string.h>
+#include "event-format-parser.h"
 #include "filterx-func-parse-cef.h"
 #include "filterx/object-string.h"
 #include "filterx/object-primitive.h"
@@ -41,36 +41,35 @@
 #include "filterx/object-string.h"
 
 Field
-field(FilterXFunctionParser *self, int index)
+field(FilterXFunctionEventFormatParser *self, int index)
 {
   g_assert(index >= 0 && index < self->config.num_fields);
   return self->config.fields[index];
 }
 
 static FilterXObject *
-parse_default(FilterXFunctionParser *self, const gchar *value, GError **error, gpointer user_data)
+parse_default(FilterXFunctionEventFormatParser *self, const gchar *value, GError **error, gpointer user_data)
 {
   return filterx_string_new(value, -1);
 }
 
 FilterXObject *
-parse_version(FilterXFunctionParser *self, const gchar *value, GError **error, gpointer user_data)
+parse_version(FilterXFunctionEventFormatParser *self, const gchar *value, GError **error, gpointer user_data)
 {
-  const gchar *log_signature = self->config.signature;
+  const gchar *log_signature = signature_for_logtype(self->config.log_type);
   gchar *colon_pos = strchr(value, ':');
   if (!colon_pos || colon_pos == value)
   {
     // TODO: fix error type, id, message
     g_set_error(error, FILTERX_FUNCTION_ERROR, 444,
-                FX_CEF_PARSER_ERR_NO_LOG_SING, log_signature);
+                EVENT_FORMAT_PARSER_ERR_NO_LOG_SING, log_signature);
     return FALSE;
   }
-
   if (!strncmp(value, log_signature, colon_pos - value) == 0)
   {
     // TODO: fix error type, id, message
     g_set_error(error, FILTERX_FUNCTION_ERROR, 444,
-                FX_CEF_PARSER_ERR_LOG_SIGN_DIFFERS, value, log_signature);
+                EVENT_FORMAT_PARSER_ERR_LOG_SIGN_DIFFERS, value, log_signature);
     return FALSE;
   }
   return filterx_string_new(++colon_pos, -1);
@@ -92,7 +91,7 @@ _set_dict_value(FilterXObject *out,
 }
 
 FilterXObject *
-parse_extensions(FilterXFunctionParser *self, const gchar *input, GError **error, gpointer user_data)
+parse_extensions(FilterXFunctionEventFormatParser *self, const gchar *input, GError **error, gpointer user_data)
 {
   FilterXObject *fillable = (FilterXObject*)user_data;
   FilterXObject *output = filterx_object_create_dict(fillable);
@@ -118,7 +117,7 @@ parse_extensions(FilterXFunctionParser *self, const gchar *input, GError **error
 }
 
 static inline gboolean
-_fill_object_col(FilterXFunctionParser *self, gint64 index, const gchar *input, FilterXObject *fillable, GError **error)
+_fill_object_col(FilterXFunctionEventFormatParser *self, gint64 index, const gchar *input, FilterXObject *fillable, GError **error)
 {
   Field f = field(self, index);
   FilterXObject *key = filterx_string_new(f.name, -1);
@@ -139,18 +138,18 @@ _fill_object_col(FilterXFunctionParser *self, gint64 index, const gchar *input,
 }
 
 gboolean
-parse(FilterXFunctionParser *self, const gchar *log, FilterXObject *fillable, GError **error)
+parse(FilterXFunctionEventFormatParser *self, const gchar *log, FilterXObject *fillable, GError **error)
 {
   gboolean ok = FALSE;
-  size_t nfields = self->config.num_fields;
+  gsize num_fields = self->config.num_fields;
 
   CSVScanner csv_scanner;
   csv_scanner_init(&csv_scanner, &self->csv_opts, log);
 
   guint64 i = 0;
   while (csv_scanner_scan_next(&csv_scanner))
     {
-        if (i >= nfields)
+        if (i >= num_fields)
           break;
 
         const gchar *input = csv_scanner_get_current_value(&csv_scanner);
@@ -166,7 +165,7 @@ parse(FilterXFunctionParser *self, const gchar *log, FilterXObject *fillable, GE
   if (i < self->csv_opts.expected_columns)
     {
       g_set_error(error, FILTERX_FUNCTION_ERROR, 444,
-                FX_CEF_PARSER_ERR_MISSING_COLUMNS, i, self->config.num_fields);
+                EVENT_FORMAT_PARSER_ERR_MISSING_COLUMNS, i, self->config.num_fields);
     }
 
 
@@ -179,7 +178,7 @@ parse(FilterXFunctionParser *self, const gchar *log, FilterXObject *fillable, GE
 static gboolean
 _generate(FilterXExprGenerator *s, FilterXObject *fillable)
 {
-  FilterXFunctionParser *self = (FilterXFunctionParser *) s;
+  FilterXFunctionEventFormatParser *self = (FilterXFunctionEventFormatParser *) s;
   gboolean ok = FALSE;
 
   FilterXObject *obj = filterx_expr_eval(self->msg);
@@ -212,7 +211,7 @@ _generate(FilterXExprGenerator *s, FilterXObject *fillable)
 static void
 _free(FilterXExpr *s)
 {
-  FilterXFunctionParser *self = (FilterXFunctionParser *) s;
+  FilterXFunctionEventFormatParser *self = (FilterXFunctionEventFormatParser *) s;
   filterx_expr_unref(self->msg);
   csv_scanner_options_clean(&self->csv_opts);
   filterx_generator_function_free_method(&self->super);
@@ -234,7 +233,7 @@ _extract_msg_expr(FilterXFunctionArgs *args, GError **error)
 }
 
 static gboolean
-_extract_args(FilterXFunctionParser *self, FilterXFunctionArgs *args, GError **error)
+_extract_args(FilterXFunctionEventFormatParser *self, FilterXFunctionArgs *args, GError **error)
 {
   gsize args_len = filterx_function_args_len(args);
   if (args_len != 1)
@@ -258,7 +257,7 @@ _create_container(FilterXExprGenerator *s, FilterXExpr *fillable_parent)
 }
 
 gboolean
-filterx_function_parser_init_instance(FilterXFunctionParser *self, const gchar *fn_name, FilterXFunctionArgs *args, GError **error)
+filterx_function_parser_init_instance(FilterXFunctionEventFormatParser *self, const gchar *fn_name, FilterXFunctionArgs *args, GError **error)
 {
   filterx_generator_function_init_instance(&self->super, fn_name);
   self->super.super.generate = _generate;
@@ -272,7 +271,7 @@ filterx_function_parser_init_instance(FilterXFunctionParser *self, const gchar *
 }
 
 void
-filterx_function_parser_set_config(FilterXFunctionParser *self, Config *cfg)
+filterx_function_parser_set_config(FilterXFunctionEventFormatParser *self, Config *cfg)
 {
   g_assert(cfg);
   self->config = *cfg;
@@ -281,13 +280,12 @@ filterx_function_parser_set_config(FilterXFunctionParser *self, Config *cfg)
   csv_scanner_options_set_dialect(&self->csv_opts, CSV_SCANNER_ESCAPE_UNQUOTED_DELIMITER);
   csv_scanner_options_set_expected_columns(&self->csv_opts, cfg->num_fields);
   self->csv_opts.flags |= CSV_SCANNER_GREEDY;
-  // self->csv_opts.flags |= CSV_SCANNER_STRIP_WHITESPACE;
 }
 
 FilterXExpr *
 filterx_function_parse_new(FilterXFunctionArgs *args, GError **error)
 {
-  FilterXFunctionParser *self = g_new0(FilterXFunctionParser, 1);
+  FilterXFunctionEventFormatParser *self = g_new0(FilterXFunctionEventFormatParser, 1);
   if (!filterx_function_parser_init_instance(self, "parser", args, error))
     goto error;
 

modules/cef/parser.h → modules/cef/event-format-parser.h

@@ -21,8 +21,8 @@
  *
  */
 
-#ifndef CEF_PARSER_H_INCLUDED
-#define CEF_PARSER_H_INCLUDED
+#ifndef EVENT_FORMAT_PARSER_H_INCLUDED
+#define EVENT_FORMAT_PARSER_H_INCLUDED
 
 #include "syslog-ng.h"
 #include "str-utils.h"
@@ -33,26 +33,26 @@
 #include "parser/parser-expr.h"
 #include "scanner/kv-scanner/kv-scanner.h"
 
-#include "parser-cfg.h"
+#include "event-format-parser-cfg.h"
 
-#define FX_CEF_PARSER_ERR_NO_LOG_SING "no log signature %s found"
-#define FX_CEF_PARSER_ERR_LOG_SIGN_DIFFERS "the log signature differs. actual:%s expected:%s"
-#define FX_CEF_PARSER_ERR_MISSING_COLUMNS "not enough header columns provided. actual:%ld expected:%ld"
+#define EVENT_FORMAT_PARSER_ERR_NO_LOG_SING "no log signature %s found"
+#define EVENT_FORMAT_PARSER_ERR_LOG_SIGN_DIFFERS "the log signature differs. actual:%s expected:%s"
+#define EVENT_FORMAT_PARSER_ERR_MISSING_COLUMNS "not enough header columns provided. actual:%ld expected:%ld"
 
-struct _FilterXFunctionParser {
+struct _FilterXFunctionEventFormatParser {
     FilterXGeneratorFunction super;
     FilterXExpr *msg;
     CSVScannerOptions csv_opts;
     Config config;
 };
 
 FilterXExpr *filterx_function_parse_new(FilterXFunctionArgs *args, GError **error);
-gboolean filterx_function_parser_init_instance(FilterXFunctionParser *s, const gchar *fn_name, FilterXFunctionArgs *args, GError **error);
-void filterx_function_parser_set_config(FilterXFunctionParser *s, Config *config);
+gboolean filterx_function_parser_init_instance(FilterXFunctionEventFormatParser *s, const gchar *fn_name, FilterXFunctionArgs *args, GError **error);
+void filterx_function_parser_set_config(FilterXFunctionEventFormatParser *s, Config *config);
 
-gboolean parse(FilterXFunctionParser *parser, const gchar *log, FilterXObject *fillable, GError **error);
+gboolean parse(FilterXFunctionEventFormatParser *parser, const gchar *log, FilterXObject *fillable, GError **error);
 
-FilterXObject *parse_version(FilterXFunctionParser *parser, const gchar *value, GError **error, gpointer user_data);
-FilterXObject *parse_extensions(FilterXFunctionParser *parser, const gchar *input, GError **error, gpointer user_data);
+FilterXObject *parse_version(FilterXFunctionEventFormatParser *parser, const gchar *value, GError **error, gpointer user_data);
+FilterXObject *parse_extensions(FilterXFunctionEventFormatParser *parser, const gchar *input, GError **error, gpointer user_data);
 
 #endif

modules/cef/filterx-func-parse-cef.c

@@ -43,7 +43,7 @@
 #include "scratch-buffers.h"
 #include "str-utils.h"
 #include "scanner/kv-scanner/kv-scanner.h"
-#include "parser.h"
+#include "event-format-parser.h"
 
 static Field cef_fields[] = {
   { .name = "version", .field_parser = parse_version},
@@ -58,7 +58,7 @@ static Field cef_fields[] = {
 
 typedef struct FilterXFunctionParseCEF_
 {
-  FilterXFunctionParser super;
+  FilterXFunctionEventFormatParser super;
 } FilterXFunctionParseCEF;
 
 
@@ -71,7 +71,7 @@ filterx_function_parse_cef_new(FilterXFunctionArgs *args, GError **error)
 
   Config cfg = {
     .delimiters = "|",
-    .signature = "CEF",
+    .log_type = EVENFORMAT_LOGTYPE_CEF,
     .num_fields = 8,
     .extensions_value_separator = '=',
     .extensions_pair_separator = "  ",
@@ -103,3 +103,5 @@ FILTERX_GENERATOR_FUNCTION(parse_cef, filterx_function_parse_cef_new);
 
 
 // CEF:0|Kaspersky\|Lab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|rt=1647626887000 cs9=site location Bldg cs9\=Label=GroupName dhost=WS6465 dst=10.55.203.12 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs10=Uninstall EDR cs10Label="Task\=Name" cs4=885 cs4Label=Task\=Id cn2=4 cn2Label=Task NewState cn1=0 cn1Label=TaskOldState
+
+// CEF:0|KasperskyLab|SecurityCenter|13.2.0.1511|KLPRCI_TaskState|Completed successfully|1|foo bar=tik\=tak filePath=/user/username/dir/my file name.txt filePath2=/user/username/dir/my file name.txt